Frequently Asked Question
Can I combine sections from different versions of the PCI DSS?`
No. When validating compliance, either through a Report on Compliance (ROC) or a self-assessment questionnaire (SAQ), requirements should not be ‘combined’ from two versions of the standard – validation must be to one version in its entirety.
When the PCI DSS is updated, it is understood that organizations may need time to complete their transition from a previous version to the current one. During this transition, their environment may reflect aspects of both versions of the standard. However, when it comes to reporting and validating compliance, only one version can be used.
As always, entities with specific questions about how to report their compliance validation should consult with their acquirer (merchant bank) or payment brand, as applicable..
Featured FAQ Articles
Most Recently Updated
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?